leaf.15781.com (botnet hosted with United States Lancaster Comcast Business Communications Inc)

Resolved : [leaf.15781.com] To [174.137.125.78]

Remote Host       Port Number
173.163.15.116    9595 (PASS prison)
204.13.248.70     80
72.233.89.199     80

NICK {00-USA-XP-COMP-7851}
PONG leaf.15781.com
NICK {iNF-00-USA-XP-COMP-3925}
USER MEAT * 0 :COMP
JOIN ###mini

Now talking in ###mini
Topic By: [ pe[ro ]
Modes On: [ ###mini ] [ +smntu ]

Now talking in ###USA
Topic On: [ ###USA ] [ .scan SVRSVC_ENG 100 10 0 -c ]
Topic By: [ pe[ro ]
Modes On: [ ###USA ] [ +smntu ]

Other details

* The following ports were open in the system:

Port   Protocol   Process
1053   TCP        usbmgr.exe (%Windir%\usbmgr.exe)
1055   TCP        usbmgr.exe (%Windir%\usbmgr.exe)
1056   TCP        usbmgr.exe (%Windir%\usbmgr.exe)

Registry Modifications

* The newly created Registry Value is:
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    Universal Serial Bus device = “usbmgr.exe”

  so that usbmgr.exe runs every time Windows starts.

Memory Modifications

* There was a new process created in the system:

Process Name   Process Filename      Main Module Size
usbmgr.exe     %Windir%\usbmgr.exe   368,640 bytes

* The following system service was modified:

Service Name   Display Name      New Status   Service Filename
wscsvc         Security Center   “Stopped”    %System%\svchost.exe -k netsvcs

File System Modifications

* The following files were created in the system:

#   Filename(s)                          File Size       File Hash                                            Alias
1   %Windir%\nigzss.txt                  0 bytes         MD5: 0xD41D8CD98F00B204E9800998ECF8427E              (not available)
                                                         SHA-1: 0xDA39A3EE5E6B4B0D3255BFEF95601890AFD80709
2   [file and pathname of the sample #1]
    %Windir%\usbmgr.exe                  131,139 bytes   MD5: 0x273A6BE0D96125F62F2F2DECACB7329C              Net-Worm.Win32.Kolab.new [Kaspersky Lab]
                                                         SHA-1: 0x78F191D4E368E108A29C63FF30BB2B1DBB482B3B    Backdoor:Win32/IRCbot.gen!K [Microsoft]
                                                                                                              Net-Worm.Win32.Kolab [Ikarus]

Info about hosting:
http://whois.domaintools.com/173.163.15.116
